Validate SSLCertificate is defined

Validate SSLCertificate is defined when PublicSSLCertificateAutogenerated is False otherwise deployment fails at step4 without meaningful error messages due to public SSL endpoints not being properly defined in haproxy.cfg. Change-Id: I9e0dc2913848eec9919c86372dd151ca5808fb30
2022-02-01 19:20:30 -05:00 · 2022-02-01 19:20:30 -05:00 · d5701e6ceb
commit d5701e6ceb
parent 557a392c9a
2 changed files with 39 additions and 1 deletions
--- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml
+++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
@ -290,7 +290,34 @@ outputs:
      host_prep_tasks:
        list_concat:
          - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
-          - - name: Run puppet on the host to apply IPtables rules
+          - - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
+              when:
+                - {get_param: EnablePublicTLS}
+              vars:
+                ssl_cert: {get_param: SSLCertificate}
+                auto_gen: {get_param: PublicSSLCertificateAutogenerated}
+                protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
+              block:
+                - name: Verify SSL certificate
+                  shell: |
+                    cat << EOF | openssl verify
+                    {{ssl_cert}}
+                    EOF
+                  register: openssl_output
+                  when:
+                    - ( ssl_cert | length ) > 512
+                    - protocol == "https"
+                  failed_when:
+                    ( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
+                - fail:
+                    msg: >
+                      SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
+                      is False and at least one endpoint is configured with https
+                  when:
+                    - ( ssl_cert | length ) < 512
+                    - not ( auto_gen | bool )
+                    - protocol == "https"
+            - name: Run puppet on the host to apply IPtables rules
              no_log: true
              shell: |
                puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
--- a/releasenotes/notes/certificiate-validation-1b08ab8cf40b7cad.yaml
+++ b/releasenotes/notes/certificiate-validation-1b08ab8cf40b7cad.yaml
@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Before this patch, invalid certificates would be detected close to the end
+    of the deployment.  In small environments, this comes fast but in an environment
+    with a large number of nodes, failures would come really late after a few
+    hours of deployment.   With this validation, it now fails before step1 at
+    host_prep_steps if the certificate is smaller than 512 bytes if UsePublicTLS
+    is set to true and PublicSSLCertificateAutogenerated is set to false.  It will
+    also use openssl to verify the state of the certificate and fail if the certificate
+    is invalid or expired.